Customer data stolen in cyber attack, M&S confirms

Marks & Spencer has revealed that some personal customer data was stolen during a cyber attack that has crippled its online operations for more than three weeks.

The high street giant disclosed on Tuesday that personal information taken could include names, dates of birth, telephone numbers, home addresses, household information, email addresses and online order histories. However, the company stressed that the data does not include useable payment or card details, which it does not hold on its systems, nor any account passwords.

Stuart Machin, chief executive officer at M&S, said: "Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken."

He added: "Importantly, there is no evidence that the information has been shared."

The company has not disclosed how many customers have been affected by the data breach but said customers would be prompted to reset their passwords "for extra peace of mind" the next time they log into their M&S accounts.

In an email to customers, Jayne Wall, operations director at M&S, advised: "You do not need to take any action, but you might receive emails, calls or texts claiming to be from M&S when they are not, so do be cautious. Remember that we will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password."

M&S began experiencing problems with its systems on 25 April, initially affecting in-store payments before spreading to other parts of the organisation. The retailer has been unable to take online orders since then as it attempts to resolve the issues.

The retailer's share price has fallen 15 per cent since the Easter weekend when problems with orders first started. Analysts at Deutsche Bank estimated earlier this month that the profit hit would have been at least £30 million, with the run rate at about £15 million a week.

The company stated it had taken steps to protect its systems and engaged leading cybersecurity experts. It has also reported the incident to relevant government authorities and law enforcement.

The Information Commissioner's Office previously confirmed it had received reports from M&S and was working closely with the National Cyber Security Centre on the matter.

Machin said the company was "working around the clock to get things back to normal" as quickly as possible.



Share Story:

Recent Stories


The future-ready CFO: Driving strategic growth and innovation
This National Technology News webinar sponsored by Sage will explore how CFOs can leverage their unique blend of financial acumen, technological savvy, and strategic mindset to foster cross-functional collaboration and shape overall company direction. Attendees will gain insights into breaking down operational silos, aligning goals across departments like IT, operations, HR, and marketing, and utilising technology to enable real-time data sharing and visibility.

The corporate roadmap to payment excellence: Keeping pace with emerging trends to maximise growth opportunities
In today's rapidly evolving finance and accounting landscape, one of the biggest challenges organisations face is attracting and retaining top talent. As automation and AI revolutionise the profession, finance teams require new skillsets centred on analysis, collaboration, and strategic thinking to drive sustainable competitive advantage.